The user account running the Configuration Manager console requires permissions to access the site database through the SMS Provider. Any administrators who will use a remote Configuration Manager console require Remote Activation DCOM permissions on both the site server computer and the SMS Provider computer.
The SMS Admins security group is used to grant access permissions to the SMS Provider. User accounts for administrators that will run the Configuration Manager console must be a member of the SMS Admins group and the following procedure must be performed to grant the necessary DCOM activation permissions to the SMS Admins group.
|If during Configuration Manager 2007 installation you installed the SMS Provider on a remote computer, you must perform this procedure on both the site server and on the remote SMS Provider computer. If you installed the SMS Provider on the site server computer, you only need to perform this procedure on the site server.|
|The Configuration Manager console uses WMI to connect to the SMS Provider, and WMI internally uses DCOM. Therefore, Configuration Manager requires permissions to activate a DCOM server on the provider computer if the Configuration Manager console is running on a computer other than the SMS Provider. By default, Remote Activation is granted only to the members of a built-in Administrators group. Allowing the SMS Admins group to have Remote Activation permission would allow a member of SMS Admins to attempt DCOM attacks against the SMS Provider computer, and also increases the attack surface of the computer. You can mitigate this threat by carefully monitoring who is a member of the SMS Admins group. For more information regarding risk associated with allowing remote activation, see "DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1" at http://go.microsoft.com/fwlink/?LinkId=86101.|
To grant Remote Activation permissions to the SMS Admins group
From the Start menu, click Run and type Dcomcnfg.exe.
In Component Services, click Console root, expand Component Services, expand Computers, and then click My Computer. On the Action menu, click Properties.
In the My Computer Properties dialog box, on the COM Security tab, in the Launch and Activation Permissions section, click Edit Limits.
In the Launch Permissions dialog box, click Add.
In the Select User, Computers, or Groups dialog box, in the Enter the object names to select (examples): box, type SMS Admins and click OK.
In the Permissions for SMS Admins section, select the check box to allow Remote Activation.
Click OK twice, and then close Computer Management.